Filebeat - Missing opening “{” on first entry of log file only?

I have a JSON log file that looks like this:

{"timestamp": "2021-03-20 13:56:07,568", "action": "ws.RegisterUser", "uuid": "e46bfe57-083d-43f9-86fa-4c94626032fe", "application_id": "App_Caller", "ip": "1.2.3.4", "log_level": "INFO", "event": "request", "system": "App_Host", "user_id": "1234567"}
{"timestamp": "2021-03-20 13:56:07,679", "action": "ws.RegisterUser", "uuid": "e46bfe57-083d-43f9-86fa-4c94626032fe", "application_id": "App_Caller", "ip": "1.2.3.4", "log_level": "INFO", "event": "request", "system": "Integration_1", "integration_action": "Create User", "user_id": "1234567"}
{"timestamp": "2021-03-20 13:56:07,789", "action": "ws.RegisterUser", "uuid": "e46bfe57-083d-43f9-86fa-4c94626032fe", "application_id": "App_Caller", "ip": "1.2.3.4", "log_level": "INFO", "event": "response", "system": "Integration_1", "integration_action": "Create User", "result": "01", "user_id": "1234567"}

Running this through Filebeat (v7.12.0) on Ubuntu 20.10, I keep getting this error:

"Error decoding JSON: invalid character 'i' in literal true (expecting 'r')"

always on the first JSON item, the other two are decoded successfully.

I've changed the order of the items but the error always occurs on whichever happens to be the first.

I then commented out the JSON configs, and noticed that the Filebeat output is missing the opening "{" on the first line:

...
  "message": "timestamp\": \"2021-03-20 13:56:07,568\", \"action\": \"ws.RegisterUser\", \"uuid\": \"e46bfe57-083d-43f9-86fa-4c94626032fe\", \"application_id\": \"App_Caller\", \"ip\": \"1.2.3.4\", \"log_level\": \"INFO\", \"event\": \"request\", \"system\": \"App_Host\", \"user_id\": \"1234567\"}",
...
  "message": "{\"timestamp\": \"2021-03-20 13:56:07,679\", \"action\": \"ws.RegisterUser\", \"uuid\": \"e46bfe57-083d-43f9-86fa-4c94626032fe\", \"application_id\": \"App_Caller\", \"ip\": \"1.2.3.4\", \"log_level\": \"INFO\", \"event\": \"request\", \"system\": \"Integration_1\", \"integration_action\": \"Create User\", \"user_id\": \"1234567\"}",
...
  "message": "{\"timestamp\": \"2021-03-20 13:56:07,789\", \"action\": \"ws.RegisterUser\", \"uuid\": \"e46bfe57-083d-43f9-86fa-4c94626032fe\", \"application_id\": \"App_Caller\", \"ip\": \"1.2.3.4\", \"log_level\": \"INFO\", \"event\": \"response\", \"system\": \"Integration_1\", \"integration_action\": \"Create User\", \"result\": \"01\", \"user_id\": \"1234567\"}",
...

This is my config file:

filebeat:
  config:
    modules:
      path: /etc/filebeat/modules.d/*.yml
      reload:
        enabled: false
  inputs:
  - enabled: false
    paths:
    - /var/log/*.log
    type: log
  - enabled: false
    paths:
    - /var/log/*.log
    type: filestream
  - enabled: true
    paths:
    - /home/kubs/Documents/fb/test_*.log
#    json.message_key: event
#    json.add_error_key: true
    type: log
output:
#  elasticsearch:
#    hosts:
#    - localhost:9200
  console:
    pretty: true
path:
  config: /etc/filebeat
  data: /var/lib/filebeat
  home: /usr/share/filebeat
  logs: /var/log/filebeat
processors:
- add_host_metadata:
    when:
      not:
        contains:
          tags: forwarded
- add_cloud_metadata: null
- add_docker_metadata: null
- add_kubernetes_metadata: null
setup:
  kibana: null
  template:
    settings:
      index:
        number_of_shards: 1

I've done some searches, and found similar cases of the JSON decoding error message (but never in a scenario as simple as mine), but found no mention of any missing "{" on first line.

I suspect the issues may be related, but I'm not really sure.

Am I missing something obvious that could explain this behaviour, and the cause of the JSON decoding error?

As is usually the case, a few more minutes of re-reading my question could've helped me come up with something else to try.

I've had some issues with Filebeat registry files (Logstash was so much simpler), so I've come up with a convoluted way to repeatedly process the same file, involving "clearing" it with an echo 1 > $file, deleting it and restoring it to its former contents with a new name, along with stopping/starting Filebeat.

So, I've just deleted all the log files, created a new file with the same contents, changed my config from this

paths:
- /home/kubs/Documents/fb/test_*.log

to this (specify the actual file)

paths:
- /home/kubs/Documents/fb/test_20210331153923.log

and now everything works as expected, including the JSON decoding.

I don't know yet what's causing the missing "{", so if anyone has any ideas, I'd like to hear them. Otherwise, I'll just accept this as an answer in a couple of days.

Edit: It definitely has to do with the way I was running my tests, the way Filebeat keeps state and the reuse of inodes on Linux.

Here are the last three entries on the registry file:

{"op":"set","id":150}
{"k":"filebeat::logs::native::406026-2051","v":{"id":"native::406026-2051","prev_id":"","source":"/home/kubs/Documents/fb/test_20210331162059.log","offset":2,"timestamp":[258565806201,1617204774],"ttl":-1,"type":"log","FileStateOS":{"inode":406026,"device":2051},"identifier_name":"native"}}
{"op":"set","id":151}
{"k":"filebeat::logs::native::406026-2051","v":{"type":"log","FileStateOS":{"inode":406026,"device":2051},"identifier_name":"native","prev_id":"","source":"/home/kubs/Documents/fb/test_20210331163246.log","timestamp":[258567741346,1617204774],"ttl":-1,"id":"native::406026-2051","offset":2}}
{"op":"set","id":152}
{"k":"filebeat::logs::native::406026-2051","v":{"timestamp":[258575697063,1617204775],"FileStateOS":{"inode":406026,"device":2051},"identifier_name":"native","prev_id":"","source":"/home/kubs/Documents/fb/test_20210331163246.log","ttl":-1,"type":"log","id":"native::406026-2051","offset":858}}

The first entry (id: 150) has source "/home/kubs/Documents/fb/test_20210331162059.log" and offset 2 (which is after I "clear" the file). The "FileStateOS" is {"inode":406026,"device":2051}.

After I delete the file and create the new one, we get the next entry (id: 151), which has source "/home/kubs/Documents/fb/test_20210331163246.log" (the new log file, with the JSON contents), but still has the same "FileStateOS":{"inode":406026,"device":2051}, i.e., the inode was reused, and has the same offset.

And that's why the "{" was always missing on the first line, because the offset was always 2.
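
The inherited-offset pattern described in the edit above can be spotted directly in the registry log. The following is an added example, not part of the original post and not Filebeat's own code: it parses entries in the format shown above and flags any state key whose source path changed while a non-zero offset carried over. The sample data is the three entries above trimmed to the fields used; the function names and the handling of ops other than "set" are assumptions.

```python
import json

# Constructed sample: the three registry entries shown above, trimmed to the fields used here.
SAMPLE_REGISTRY = """\
{"op":"set","id":150}
{"k":"filebeat::logs::native::406026-2051","v":{"source":"/home/kubs/Documents/fb/test_20210331162059.log","offset":2,"FileStateOS":{"inode":406026,"device":2051}}}
{"op":"set","id":151}
{"k":"filebeat::logs::native::406026-2051","v":{"source":"/home/kubs/Documents/fb/test_20210331163246.log","offset":2,"FileStateOS":{"inode":406026,"device":2051}}}
{"op":"set","id":152}
{"k":"filebeat::logs::native::406026-2051","v":{"source":"/home/kubs/Documents/fb/test_20210331163246.log","offset":858,"FileStateOS":{"inode":406026,"device":2051}}}
"""

def iter_ops(text):
    """Yield (op, op_id, key, state) from alternating header / key-value lines."""
    header = None
    for raw in text.splitlines():
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or partially written lines
        if isinstance(rec, dict) and "op" in rec:
            header = rec
        elif isinstance(rec, dict) and "k" in rec and header is not None:
            yield header["op"], header.get("id"), rec["k"], rec.get("v") or {}
            header = None

def find_inherited_offsets(text):
    """Return entries where a state key got a new source path but kept a non-zero offset."""
    last = {}  # state key -> (source, offset) from the previous "set"
    findings = []
    for op, op_id, key, state in iter_ops(text):
        if op != "set":
            last.pop(key, None)  # assumption: any other op (e.g. "remove") drops the state
            continue
        source, offset = state.get("source"), state.get("offset", 0)
        prev = last.get(key)
        if prev and prev[0] != source and offset > 0:
            findings.append({"op_id": op_id, "key": key, "old_source": prev[0],
                             "new_source": source, "skipped_bytes": offset})
        last[key] = (source, offset)
    return findings

if __name__ == "__main__":
    for hit in find_inherited_offsets(SAMPLE_REGISTRY):
        print("op {op_id}: {new_source} starts at byte {skipped_bytes} "
              "(offset inherited from {old_source})".format(**hit))
```

A renamed (rotated) file keeps its inode and offset legitimately and produces the same pattern, so each hit is a candidate to check against the file on disk.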
